Editor’s notes: Mobile forensic investigations are faced with all sorts of difficulties every day. And today we are going to talk about forensic data extraction from Huawei devices. When preliminary extractions fail for a Huawei device, we have to try more complicated strategies like rooting or flashing the target device. This is when we will be facing the annoying bootloader lock. So in this article, let’s see how SalvationDATA forensic experts deal with the bootloader lock of Huawei devices.

SalvationDATA Mobile Forensics Bootloader

Why is unlocking Bootloader special and difficult for Huawei?

In order to set a limitation to smartphone users and prevent them from doing unwanted operations, Huawei developers set up a Bootloader lock (BL lock) to their Android system. BL lock forbids us to flash a custom OS or acquire root access. Such operations are usually a critical step in a mobile forensic investigation, this is why we must find a way to unlock Bootloader.

2

Even if you can unlock Bootloader, the problem is still far from solved. In order to secure the smartphone user’s private data, Huawei developers set another deadly trap. For Huawei smartphones installed with 6.0 or higher version systems, the user’s data will be wiped clean as soon as the Bootloader is unlocked. This brings great challenges to the mobile forensic works with Huawei devices.

How to unlock Bootloader without wiping user data?

Unlocking the Bootloader is actually the easy part, but how can we avoid wiping the user data when unlocking Bootloader, after all the user data is what really matters.

According to our forensic expert’s research, the program code of wiping user data is written in the Recovery partition. So if we can clear the Recovery partition before unlocking Bootloader, the operation to wipe user data will never be executed!

Important notice:

  • The solution introduced below is highly risky, please make sure you possess required professional technics before using it on your real cases.
  • There are usually more than just one recovery partitions, make sure to clear them all before unlocking Bootloader.

Preparations

  • Check all physical buttons, and make sure they are functioning.
  • Acquire the unlock code for your model.

Step 1.

Enter fastboot mode, use adb tools to acquire device system info and BL lock-state. Command lines are shown in the fig below.

3

Step 2.

Now we have the system build number, we can use this number to find the official ROM pack online. From the ROM pack we are able to know exactly how many recovery partitions are in the Huawei device, and what are their names.

For example, after unzipping the ROM pack, we found two recovery partitions named ‘RECOVERY’ and ‘ERECOVERY’, see below fig.

4

Step 3.

Temporarily disable FB lock. Then only proceed to the next step after you make sure that all Recovery are cleared. Then use the unlock code to unlock the Bootloader lock.

SalvationDATA Mobile Forensics Bootloader

Step 4.

Reboot, now the device will boot to the official Recovery and report an error. Ignore it and force enter fastboot mode, then we can freely flash a custom Recovery and forensically extract the smartphone data.

Conclusion

So in order to avoid wiping user data when unlocking Bootloader lock, the key step is to clear all recovery partitions. Recovery partition can be verified by downloading the official ROM pack according to your target Huawei device’s system build number. The common Recovery names of Huawei devices are:

recovery, recovery2, erecovery, recovery_ramdisk, erecovery_ramdisk

Check out our blog posts and website for more practical forensic solutions. You can also download our integrated smartphone forensic system SPF Pro from our resource page and get your free trial now!